Windows Time Server

Posted on 2014-11-05
Medium Priority
Last Modified: 2014-12-16
One of our NTP time servers is a standalone physical server. It gets its time from external time sources. This server is being replaced by a server which will be joined to our Active Directory. I realize all computers joined to a domain get their network time from the Domain Controllers. Hopefully it can still be used as a network time server.

Unfortunately our time clients are configured with an IP address instead of a DNS name. The replacement server will inherit the old server's IP address so changes to the clients' time config should not be needed.

Can this new server (joined to the AD) still be configured to go to the internet to get time and act as a time server?

The old server is Windows 2003 SP2 standalone. New server is Windows 2008 R2.
Question by:epmmis
LVL 35

Expert Comment

ID: 40425354
It can, but as you stated, domain computers are configured, by default, to obtain their time source from the Domain Hierarchy. This domain time source is recommended to be the PDC Emulator. Otherwise, you can configure group policies so that the domain computers can get their time from a different source; in this case, the time server will be treated as an external time source.

LVL 29

Expert Comment

by:Dan McFadden
ID: 40425956
To be even more specific... the PDC FSMO holder should be configured to be the only DC to go to an external (reliable) time source. All other DCs (FSMO holder or not) reference the PDC Role holder as a trusted time device. Then all domain joined clients use the DC infrastructure to get time.

You need to manually configure your PDC Role holder, reference link below:


I agree with it_saige that you could update your desktops/laptops/workstations with a GPO but as for other devices that pull time via IP, those should be pointed to the DC which holds the PDC FSMO.

As a 2nd option, you could DCPromo the replacement server and then transfer the PDC Role to it. Then follow the instructions in the link above to configure the PDC Role holder as a reliable time source for the domain. But I do not know what your domain looks like, how your network is set up or where all the DCs exist on the network.


Author Comment

ID: 40426782
I am sorry I did not make my request clear. The domain will continue to use the PDC emulator DC to get their time. This is not an attempt to change how the domain processes time.

This new server will be the time source for other physical servers, such as my Linux servers. My domain controllers (and most of my AD) are virtualized. It is best the physical host servers and my Linux servers get their time from a physical server independent of the virtualized domain controllers.

LVL 35

Assisted Solution

it_saige earned 750 total points
ID: 40426828
My post may have been overcomplicated. In short, yes, you can do what you want.

LVL 35

Expert Comment

ID: 40426908
I might add, though, since you are implementing (or redeploying) your own time server, that already connects to an external time source, there is nothing that states that your PDC emulator cannot use this server as its external time source. This might also be a best practice so that you do not request time updates too frequently from your external source(s).

LVL 29

Accepted Solution

Dan McFadden earned 750 total points
ID: 40427023
I agree with it_saige. If this redeployed server is configured as a trusted time source, you can point the PDC Holder to that device. This also allows you to reduce the outbound NTP traffic and limit it to only this physical server.

BTW, external time source refers to a device providing reliable NTP services, that is not contained within the PDC holder server. The external time source can easily be an NTP device on the internal network.

Whether or not your reliable NTP server is inside or outside your network in no way dictates the frequency of time update requests. The frequency of updates is dictated by the configuration of the service making the requests.
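
Added example, not part of any post in this thread: one way to set up the domain-joined Windows Server 2008 R2 member discussed above so that it syncs from external NTP peers instead of the domain hierarchy and answers NTP queries from other hosts. The peer names are placeholders (assumptions), and the script expects an elevated PowerShell prompt on the replacement server.

```powershell
# Added example; run elevated on the replacement (domain-joined, non-DC) server.
# ASSUMPTION: the peer names are placeholders, not values from the thread.
$peers = 'ntp1.example.net,0x8 ntp2.example.net,0x8'   # 0x8 = client-mode requests

# Windows Time settings delivered by a domain GPO take precedence over local
# configuration. They are stored under the Policies key, so check for it first.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
if (Test-Path $policyKey) {
    Write-Warning "W32Time policy found at $policyKey; a GPO may override the settings below."
}

# Stop following the domain hierarchy (NT5DS) and use the manual peer list.
w32tm /config "/manualpeerlist:$peers" /syncfromflags:manual /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# Enable the NTP server provider so non-domain hosts can query this machine.
$ntpServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer'
Set-ItemProperty -Path $ntpServer -Name Enabled -Value 1

# Allow inbound NTP. Add remoteip=<client subnets> to the rule to limit
# who may query the server.
netsh advfirewall firewall add rule name="NTP Server (UDP 123)" `
    dir=in action=allow protocol=UDP localport=123

# Apply the change and force a fresh sync against the new peers.
Restart-Service w32time
w32tm /resync /rediscover

# Verify: the source should be one of the peers, not a domain controller,
# and the status should show a synchronized clock with a valid stratum.
w32tm /query /source
w32tm /query /status
w32tm /query /configuration
```

If `w32tm /query /source` still reports a domain controller after the restart, check the output of `w32tm /query /configuration` for values marked `(Policy)`, which indicate that a GPO is supplying the setting.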


Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
The Windows Firewall provides an important layer of protection and a rich interface to configure it. Unfortunately, it lacks item level filtering. This article details my process of implementing firewall-as-code to reduce GPO bloat.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question